OpenSSF Day at Open Source Summit North America - The Secret Life of Maven Central - Joel Orlina, Sonatype
A
That commercial's over. Our next speaker is Joel Orlina, who is sharing Maven's security journey. Joel is an engineering manager at Sonatype, who just happens to be a sponsor, go check out their booth, where he helps with the care and feeding of Maven Central while also contributing to product development. Please join me in welcoming Joel. Take it away, sir.
B
So thanks for the intro. My name is Joel Orlina, I'm an engineering manager at Sonatype. I've been with Sonatype since 2010, and as an engineering manager I support multiple teams, one of them dedicated to not just the continued operations of legacy services around Maven Central, but also to some of the future plans.
B
Some of the new services that we're building to modernize and improve, you know, people's interactions with what is the single largest repository of open source components for languages that target the JVM. I used to say that Maven Central was primarily for Java developers, but I think the truth is that if you develop in Scala or in Kotlin or Clojure, all these things target the JVM.
B
You know, there are components in Maven Central for all of those languages. So I'm going to start with some definitions, maybe a little bit of storytelling around what I think of when I hear Maven Central. When I first gave this talk, it was for a developer-focused conference, primarily for Java developers. I doubt that we have a majority of Java developers here, so I hope that some of the story resonates and gives you a little bit...
B
...you know, a larger background into, you know, what a software package repository like Maven is, what it consists of and what it takes to run it, and to help tell that story. After the definitions, I have some high-level architecture. I won't get into the nuts and bolts. I'm here at the coffee break, I'll be here for the next few days, feel free to come find me if you're actually interested in seeing more of the nuts and bolts. When I first gave this talk...
B
...I actually had more time, so I may actually skip Central by the Numbers, a little bit of, you know, statistics around growth, around its contents, and I'm more than happy to share that as well. Maybe if we have time available, I might come back to them. What I really want to get to, though, is a little bit of operational description. You know, I think I've seen many presentations today where people go back into ancient history. I'm going to go back to 2021, which was a particularly eventful year for, I...
B
...think, not just everybody here, certainly for the team at Sonatype maintaining Maven Central. We'll go take a look at certain events that punctuated that year and actually had security ramifications for the way we operate Central, for our users and for us as maintainers, and the last few slides are going to focus on the future.
B
I actually have a slide with a prototype of sort of the next generation of the publisher portal that we're actively building. There's a slide talking about our involvement with OpenSSF, which has been incredibly fruitful to date, but I'll get to that at the end, and with luck, time allowing, I'll take a few questions before letting everyone go off to get coffee. I feel like I'm in the unenviable position not just of blocking people from caffeine, but of following Mr. David Wheeler.
B
Thank you, that was a fabulous presentation and I hope to keep the energy going. All right. What is Maven Central? So when I give this talk to Java developers, I have to ask them to indulge me a little bit. They already know what it is. So this illustration, it's actually one of many in a Wikipedia article. If you go on Wikipedia and search for "blind men and an elephant" you'll turn up this great article about a parable from the Indian subcontinent.
B
It's very old, the first, I think, written evidence of it is from 500 BC, but purportedly it's much older than that, and it tells the story about five, six blind men who, for whatever reason, are asked to describe an elephant. One of them comes up, manages to wrap his arms around the leg and says: oh, it's a mighty tree trunk. The other one grabs the tail and says, oh, it's long like a snake. The other one, I think, grabs the tusk: oh, it's pointy, it must be a spear. Another one, the ear.
B
Oh, it's a giant fan. Someone in the back says it's a great wall. And Java developers actually don't think about Maven Central at all. The original abstract of this talk was: Maven Central, it's like the stars, it's like electricity. You don't think about it, because it's there, you know. If it's dark and you look up, you see the stars. Yeah, that's what Maven Central is, something that operates all the time without our knowing. But I, like the support...
B
Well, I have as part of my job supporting the community that uses Maven Central, and I get support requests that actually remind me that, depending on how people use Maven Central, they have a very different experience of it. Much like six blind men and an elephant. For the most part, developers, those of you here who are Java developers, will happily type mvn clean install, and after Maven is done installing and downloading the internet, you have a jar file that you can actually send downstream.
B
We also offer a service, and you'll see this on the architecture slide, where we focus on how people can do a little bit of research on those components, component metadata, you know, age and data that's in the POM, the project object model, and that's also, you know, a service that we support. It's very different from the other experiences of people using Maven Central, and that's, you know, where most of the overlap between this illustration and Maven Central actually lies.
B
If you read the article you'll actually see that the parable kind of falls apart in terms of applicability to Maven Central. Truly, the blind men actually in many cases get into an argument. They feel like their tiny appreciation of the elephant is the only truth, and they come to blows in many of the retellings. That, I don't think, has actually happened in the Java community, but I really enjoy the parable of the blind men and the elephant, and because I'm not a blind man, I'm...
B
...actually someone who has known this elephant for the past 12 years and has, you know, been tasked with taking care of it. This illustration is, I think, the most chaotic one in the article and it's my favorite. I mean, look, there's all this stuff going on, and I think this accurately captures many points of the past 12 years for me. And what have I learned from, you know, taking care of an elephant?
B
It's very, very large. It is very, very expensive to house, to feed, to clean. When it becomes unruly, it is very difficult to calm it down and make sure it doesn't hurt itself and the people around it. When we get into the 2021 year in review, I hope that some of these analogies become a bit more clear. But this is absolutely, you know, my favorite picture of blind men and an elephant, because it really captures, you know, some of, some of...
B
I think, you know, there's one person in there who's about to die, and, you know, I'm like, that's me, actually, not today, but some days. All right, very high-level architecture, and apologies, you know, if this becomes a little bit too Java-heavy. I promise I'll try and keep it, you know, high-level for the audience here, and if you want details, come find me. I mentioned how, you know, we have different people with different experiences. I've categorized them on the left-hand side: publishers, repo users.
B
These are the people who actually access repo1.maven.org, that is the hostname for Maven Central, and then there are users of search. These are people who are doing more of the research-style, and, you know, more component metadata type lookups. But publishers actually interact with a Sonatype product, several instances of them. I'll actually get to how we got to several instances in the year in review, but we use Nexus Repository Manager. It is, you know, there as a caching proxy, but there's actually functionality in the professional version that we use.
B
This is actually the area of the Maven ecosystem where I receive, and my team receives, the most interaction with customers, because we raise a non-trivial bar for people to vault over before they can even publish. We're not letting you in unless you can actually meet these requirements, and you'll see in the year in review that this has become, you know, a source of, you know, extra effort for us, but it's effort worth paying, because it ensures some baseline quality inside the Java ecosystem.
B
Let's see, traveling counterclockwise, you know, you'll see we have our ubiquitous Jenkins icon. We use a hosted instance of Jenkins actually for a lot of orchestration. We probably misuse it, but at the end of a publishing, you know, activity, the bits end up in an AWS S3 bucket, and S3 can be easily hooked up as the origin server to any one of a number of CDNs. The CDN that Maven Central relies on is Fastly. Fastly should be a name that's known to practically every person who works on a package repository.
B
It is, you know, a top-tier global CDN. We've actually been with them, I guess, since very close to their original founding. They've been an exceptional partner to Sonatype, and they've grown quite rapidly, but also quite stably. The point I wanted to make about this particular section of the graph is that, you know, Maven Central is relied on by millions of Java developers, and, you know, depending on how, you know, their build practices are set up...
B
...you know, if you cannot download a dependency for your build, your software does not go out. If that software does not get published, other things start to fail, and so the choice we've made to actually go with Fastly and then back Fastly with something like AWS's S3 is about going with something that is internet-scale. You know, people running a package repository have in the back of their minds, you know, what do we do? What do we do if the repo goes down?
B
What do we do if, you know, there's some sort of event that takes one piece of the infrastructure down? Relying on both AWS and Fastly means that we don't have to worry about that. If S3 goes down, if Fastly goes down, the rest of the internet is down with us. You've got bigger problems than your build from Maven not completing.
B
I believe this is the AWS architecture icon for Elastic Beanstalk. search.maven.org, which I'm not sure how many people are familiar with, uses an index built from the same bits inside the repo origin server, and Elastic Beanstalk serves up the front end. I'm not sure I'm going to go into too much more detail on search.
B
We might talk a little bit about the functionality when we get to the forward-looking slides.
B
All right, Central by the numbers. I usually spend a lot of time on these. It's an elephant, it's big! If we have time we'll come back to it. 2021, some ancient history. 2021 was interesting for all of us, I think, everyone. You know, if you read ahead or go read to the right side, you'll actually see I'm going to spend some time talking about the Log4Shell response, but we had great plans for Maven Central, and starting with the team...
B
I feel like, you know, when I started at Sonatype, Maven Central was something that, you know, our CTO and co-founder Brian Fox said, in between the things I need you to do normally, you should take a look at this repo. One thing: I've got a few things that I can't tend to now. And here we are today, right, and Maven Central is now, you know, larger than ever and more important than ever. Well, in 2021, I...
B
...think that, you know, Sonatype got to the realization that the one, maybe one and a half, people who were asked to keep the lights on in between their day job certainly wasn't sufficient, so we actually brought on two DevOps engineers to improve stability across some of the services I showed you in the high-level architecture. At the same time, Sonatype was undergoing company-wide...
B
...adoption of Scrum as an agile methodology, and we actually did a whole mess of backlog grooming and planning, and on February 2 we kicked off Sprint one for the Central team. Well, on February 3 was the announcement that Bintray was shutting down, and this is something that is definitely more top of mind for Java developers, but just so, for the people who aren't Java developers: Bintray is essentially a competing open source package repo with a superset of components.
B
So, you know, more components from other repositories than just Maven Central, so they actually mirrored Maven Central and then provided an alternate means for people to publish to Maven Central. Well, on February 3 they decided they were getting out of running their repo and that they were going to shut down. Their initial press releases weren't extremely crisp about what the migration plan was for people. So, in the first few days after February 3, there were a lot of questions around the community, like, what do you mean you're shutting down?
B
Where are people going to get my components now? Where can we go? And we, Sonatype, said that, well, we have an open source Java package repository, you should feel free to publish to us, here are instructions, here is the public Jira project where you can sign up and publish, and that started the giant chain of events. I have the link here. The announcement is still up on the internet, and the update says that the actual repo is still live and running there.
B
It's read-only, but they continue to serve their artifacts, which is great. I'm actually quite relieved that that's the position they ended up in, but, you know, that's as of right now. Back in February of 2021, there was a lot less clarity. I'm gonna highlight these two charts. The one on the left, I want to call out the February to March, you know, giant stairs. That represents, I think, a 20 to 23 increase in the bandwidth that users of Maven Central started consuming.
B
We had always known that there was a significant amount of people who were consuming exclusively from Bintray versus us, but we never could quantify it. But with the announcement it was shutting down, people migrating over to Maven Central as the place where they could officially consume their artifacts, we saw this increase, and, you know, the good news is that, you know, thanks to Fastly being this, you know, capable partner and being mindful of how important, you know, their continuing to serve artifacts is, we had no issues shouldering this load, right?
B
So this is sort of the, from the perspective of the machinery of the internet, right, between Fastly and people running mvn clean install, as long as they were able to find their artifacts on Maven Central, there was really no blip in terms of the quality of service with the Bintray shutdown.
B
Support for services related to Maven Central comes through a Jira that Sonatype runs, issues.sonatype.org, and we normally expect January to be a bit depressed, as people are still out on holiday. But what we did not expect was this giant leap, you know, in February, March, and then a leap upward again in April, and this was all related to activity around the Bintray shutdown. First off, publishers who knew that the shutdown was coming and very quickly realized what it meant to them started signing up in droves on our services.
B
So this leap is, you know, the blue chart is a specific issue type called New Project, and we saw the New Project numbers jump up entirely, and, you know, it really looks like it doubled, right, in January, February. It is sustained in February through March and then up again in April. This other color represents publishing support.
B
These are things that aren't just "I'm signing up for a new project", and I'll explain this a little bit by going back to something that we thought about when we saw the announcement that might actually be very germane to some OpenSSF topics that, you know, folks here may have already heard about. So in the Maven ecosystem, we uniquely identify components with three coordinates. You know, we don't just have a name, or maybe, say, an artifact ID and a version; we actually have a namespace...
B
...that is an umbrella for all of them, which allows you to sort of represent your organization, a group ID. If you've ever published to Maven, one of the more annoying things, but probably one of the more necessary ones, is to claim your namespace with some sort of proof that you are actually serious about publishing, and these days we ask people, one, to make sure that their group ID reflects a domain they own, or at least control the content for. So, com.jorlina: I would have to say, well...
B
...I own jorlina.com, and I would have to submit to our automated process a DNS TXT record with some sort of record ID to prove that I own that domain. Bintray publishing did not have any such mechanism. I'm still fuzzy as to what they accepted as proof of organization to claim a namespace, but one of the first things, and Brian's still there, I think it was Brian Fox who came and said to me, is like, well, Bintray has been around for a few years. They don't have the same validation process...
B
...we do. Wouldn't it be possible for someone who knows that something only exists on Bintray to buy a domain that is not owned by someone on Bintray and then sign up on Maven Central? If they were to have done that, our automation would have granted them access to a namespace they did not own and, more importantly, to a namespace that already had provenance somewhere else and was mature and in use by somewhere else. So this jump in human activity represents what we did at Sonatype: we had to actually turn off that automation.
B
Ultimately, it involved a few tweaks to the automation whereby we would check whether the project namespace existed on Maven Central already, and then we would check if it existed already on Bintray, and if it did exist on Bintray we essentially threw it into another manual workflow, where we said it looks like you're trying to publish on Bintray. Well, if that's the case, we'd like for you to acknowledge that and then to follow this process to get yourself signed up.
B
Now before I go all the way into the middle of the year, I guess the one last thing about the Bintray shutdown, the light that I like to call out, is that when everybody decided that they needed to publish their artifacts anew on Maven Central, they had to publish them to one of our Nexus Repository Manager servers. We actually kind of got DoSed a little bit. We did not realize...
B
...the popularity of Bintray would turn into all these new requests, so between February 3 and February 25, we built up documentation, stood up new resources, and essentially built a new server with zero tenants on it, and on February 25 we switched our process where, by default, we would provision people on the new and unloaded host. Leading up to February 25th, we had continuous complaints of people saying my builds are failing, they're timing out, and we had to unfortunately explain to them, yes, it's because you and...
B
...everyone else on Bintray need a new home, and we did not realize that we were going to need to scale this quickly, and so keep this in the back of your heads. We're going to revisit this at the end of 2021. All right, so I'm actually really glad that I, you know, in retrospect now, you know, followed the David Wheeler talk, because of the question about SBOM.
B
This is something that we turned on in mid-May of last year, where, when you publish to Maven Central, when you sign up, you are automatically opted in to a workflow that will calculate an SBOM, not a perfectly complete one, but one of the other open source components in your build that are sourced from Maven Central. We will then send you an email after the successful release of your build on our servers with a summary of what's vulnerable and other...
B
...you know, weaknesses and inconsistencies, potential license threats inside that minimal SBOM, and if you click the link, you get a detailed report. So, you know, when David said the SBOM's not the silver bullet, right, you know, just because it says what's in there doesn't mean you know what to do with it. We're trying to, you know, introduce a little bit of silver here, where, look, you know, we don't know where the fixes are yet, but we know that you are consuming this version that's vulnerable, this version that has a license...
B
...it's maybe a little bit copyleft-ish. You might want to take a look at it, and this is free for anyone who publishes to Maven Central, and will continue to be free, you know, for as long as we run, you know, a publishing stack for Maven Central.
B
Here we go. It's the end of 2021, people are getting ready for holiday, and guess what, no one's going to take a holiday, because the internet's about to break in a horrible way. So I feel like it takes me some effort now to remember what happened at the end of last year, so bear with me while I try to tease everything apart. First off, we had to upgrade all of our software as soon as the Apache Software Foundation, you know, cleared up which versions were not vulnerable.
B
We made sure that any of the running services of Maven Central were in fact upgraded to use patched versions of log4j. That didn't take too much time. What ended up consuming all the time was realizing that, even though we had, what, 10 months to have people move to our new and unloaded server, it is amazing that all the people who were on the old server decided we have to upgrade all of our dependencies as well.
B
We all have to publish new versions of our software, so the same timeouts, the same failures publishers actually all had to deal with in February, we dealt with all over again in December, and this time it felt much worse. I feel like oss.sonatype.org, which is the main host that we publish to, was underwater for three straight days, and we actually had to get volunteers from other development, DevOps and SRE teams at Sonatype to essentially man our Jira and say, hey, we saw that you were having trouble publishing to oss.sonatype.org.
B
Would you like to migrate to the new host? And yeah, I remember, you know, five people showing up to a Zoom call on Saturday morning and having to tell them, this is just in case we have more people to migrate, but, you know, we did it. We got people moved to the new host, and thankfully we had learned the lessons from February on how to quickly scale and what process to follow to move them. The slides themselves don't illustrate any of that.
B
These are actually from our log4j vulnerability resource center, where we actually continue to calculate stats. There were still vulnerable versions of log4j being downloaded, not the fault of the log4j project. It's just people still haven't gotten the message and upgraded. All right, I think I have five minutes left to quickly go through the future direction. I mentioned that the Central team is actually actively building for the future. We've got, I believe, two front-end, two back-end developers and a tech lead all trying to build the new Central portal.
B
That is going to be what we hope is a centralized place, not just for consuming metadata about the artifacts, but also publishing. To that end, we'll need to build a better sign-up and identity management process. This is a thing that we care so strongly about, especially in light of all the issues that we've seen recently, like: do you really belong to this project? Should you have access to this group ID? So organizational identity management is definitely top of mind.
B
We are also trying to launch new bits of data products, including component popularity and categorization. We're still toying with how popularity is defined. Is it raw downloads? Is it the liveness of the project? We have a research and analytics team at Sonatype that has categorized many of the most popular open source products, and the screenshots will illustrate that. But before I go to the screen, I do want to just shout out to OpenSSF and the Securing Software Repositories...
B
...Working Group. I've had the pleasure of attending a couple of those meetings now. I believe they are every two weeks; they alternate between the EMEA-friendly and the APAC-friendly, but I stay up late to hang out on the APAC call, and they've all been terribly welcoming, and it's been wonderful to sort of build empathy with them. You know, these problems that we saw in 2021 aren't unique to us. You know, there are certain things that we were better prepared for, but we are all learning from each other.
B
So the last thing I have here is an actual screenshot from our staging server, and it has a section for most popular packages in the last 90 days, most popular namespaces, popular categories, and, yeah, so far it looks a lot like search.maven.org: look up things by group ID, artifact ID and version, see some details on recent releases, but this will eventually be that one-stop shop, where you can consume information about the artifacts and also publish new information.
B
Right now we require PGP signatures, but, you know, it's all decentralized, and sort of the tooling around verification is something that we've never been great at, and it's super great to be working with everyone at Sigstore to actually have something centralized that we can all leverage across ecosystems. A slide in case people are interested in helping: I think all the presentations have the "how you can help".
B
If you would like to contribute to the future face and requirements for Central, we actually have a Google form for you to sign up, central-beta.sonatype.org, and then, because I'm here, you know, and I have, I don't know, maybe a minute or two for one or two questions. Okay, I'll take them now or outside at the coffee break, but I will leave on this slide, which is an upcoming Sonatype event, All Day DevOps. It's a thing. There are folks here who are instrumental in building it. Yes, in the back, Mr. Wheeler.
B
A quick question. I understand, I understand the challenge of trying to determine whether or not somebody's on the domain. Have you thought about trying to reuse parts of ACME?
B
Well, it's amazing, because that is actually one of the first things we looked at. It's like, you know, we did something less, you know, I guess less involved. We do ask them to add the DNS TXT record, but it's the same ID that's in the issue that they signed up with. I actually feel that if we had more time to build in our legacy stack, we would have probably taken that track and, you know, been more ACME-like, but, you know, for the future...
B
So the question is whether we plan to do any extra validation, not just ownership of the domain, but, you know, the people who, you know, own the name, maybe the trademark, right. I think that that's certainly on the table. That's always the question that comes up, is that, you know, great, you've just asked me to jump through another hoop. You know, well, what if my domain is expired, right? And so I'll share something with folks here that isn't apparent in our documentation.
B
We've been fortunate in that, you know, we've come from an area of extremely, you know, high manual process, historically. So if you were the first person to sign up for a namespace on Maven Central, you automatically become the person who is allowed to acknowledge that other people can sign up. We actually turn off the automated validation, so in cases where there's a long history, where we kind of know who's actually signing it up, that served us really well, but I think that this is only going to become more critical moving forward.
B
They are already supported. It is actually the quickest path to publishing to Maven Central: sign up for io.github.jorlina, and we will actually ask you to create an empty repo with your OSSRH ID, and you will get automatically provisioned. We also support this for Bitbucket, GitLab, Gitee, you know, which is a Chinese repository, and I think one more that escapes me right now. So, yeah, you don't have to own a domain to publish to Maven Central. Just have, you know, a GitHub account.
B
I do feel like, you know, there's lots of opportunity there, like we're already looking at that, you know, using sort of whatever GitHub exposes in terms of organizational management and authorization that may actually help us too. Verified by GitHub might be the thing where we're like, yeah, GitHub's verified you. We should probably trust that as well.